I noticed that GVM reports the product CPE in the wrong format when it is a patch version.
For example, the following is the CPE that GVM built for OpenSSH Server 8.9p1: cpe:/a:openbsd:openssh:8.9p1. The correct CPE should be cpe:/a:openbsd:openssh:8.9:p1.
Yeah. I’m very sorry for my misunderstanding. I searched for the CPE in NVD - Search (nist.gov) but could not find it, and then rushed to conclude that the CPE format was wrong. Now I can find information about OpenSSH Portable here: OpenSSH: Portable Release. Thank you for explaining.
Strangely enough, it seems that the NVD has switched from using the “correct” CPE cpe:/a:openbsd:openssh:4.4p1 to using cpe:/a:openbsd:openssh:4.4:p1, as seen in e.g.:
@panajo1017 You might want to contact the NVD via https://www.nist.gov/about-nist/contact-us to get this corrected back so that the p1 isn’t added to the Update component of the CPE, because p1 is actually not an update / patch, as we have now concluded.
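The practical consequence of the thread is that both spellings, cpe:/a:openbsd:openssh:8.9p1 (p1 inside the version component) and cpe:/a:openbsd:openssh:8.9:p1 (p1 in the update component), exist in the wild, so anything that matches scanner output against NVD data has to treat them as the same product version. The following is an added example, not code from the forum participants, GVM, or the NVD: it parses a CPE 2.2 URI into its seven named components and folds the "update = pN" spelling back into the version, following the thread's conclusion that pN denotes the portable release rather than a patch. The helper names (parse_cpe22, normalize_openssh, same_product_version) and the choice of "8.9p1" as the canonical form are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Component order of a CPE 2.2 URI after the "cpe:/" prefix:
# part:vendor:product:version:update:edition:language (trailing ones may be omitted)
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


@dataclass(frozen=True)
class Cpe22:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""


def parse_cpe22(uri: str) -> Cpe22:
    """Split a CPE 2.2 URI such as cpe:/a:openbsd:openssh:8.9p1 into named components.

    Omitted trailing components become empty strings. CPE 2.3 formatted strings
    (cpe:2.3:...) are rejected, since their binding is different.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or len(fields) > len(CPE22_FIELDS):
        raise ValueError(f"expected 3 to 7 components, got {len(fields)}: {uri!r}")
    fields += [""] * (len(CPE22_FIELDS) - len(fields))
    return Cpe22(*fields)


# OpenSSH Portable release naming is "<major>.<minor>p<n>" (e.g. 8.9p1); the p<n>
# suffix identifies the portable release, not a patch level (thread conclusion).
_BASE_VERSION_RE = re.compile(r"^\d+\.\d+$")
_PORTABLE_UPDATE_RE = re.compile(r"^p\d+$")


def normalize_openssh(cpe: Cpe22) -> Cpe22:
    """Canonicalize the two spellings seen in the thread.

    Assumption of this example: the canonical form keeps pN in the version
    component (8.9p1) and leaves update empty. A CPE written as version "8.9",
    update "p1" is folded into that form; every other CPE is returned unchanged.
    """
    if (cpe.vendor, cpe.product) != ("openbsd", "openssh"):
        return cpe
    if _BASE_VERSION_RE.match(cpe.version) and _PORTABLE_UPDATE_RE.match(cpe.update):
        return Cpe22(cpe.part, cpe.vendor, cpe.product,
                     cpe.version + cpe.update, "", cpe.edition, cpe.language)
    return cpe


def same_product_version(a: str, b: str) -> bool:
    """True when two CPE 2.2 URIs name the same product version after normalization."""
    return normalize_openssh(parse_cpe22(a)) == normalize_openssh(parse_cpe22(b))


if __name__ == "__main__":
    # Constructed sample inputs: the two spellings discussed in the thread.
    gvm_cpe = "cpe:/a:openbsd:openssh:8.9p1"
    nvd_cpe = "cpe:/a:openbsd:openssh:8.9:p1"
    for uri in (gvm_cpe, nvd_cpe):
        c = parse_cpe22(uri)
        print(f"{uri}: version={c.version!r} update={c.update!r}")
    print("match after normalization:", same_product_version(gvm_cpe, nvd_cpe))
```

The normalization is deliberately scoped to vendor openbsd / product openssh, because for most other products a value in the update component really is an update or patch level and must not be merged into the version.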